<?php

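/**
 * Best-effort XSS filter for untrusted text.
 *
 * Pipeline: backslash-escape quotes (legacy, see below), delete ASCII control
 * characters and a fixed blacklist of script-related words, strip tags, then
 * encode the remainder as HTML entities. The blacklist is bypassable by
 * construction; the real protection is strip_tags() + htmlentities(), and the
 * result must still be escaped for the context it is rendered in (attribute,
 * JS, URL) rather than treated as universally safe.
 *
 * Fixes over the previous version: the pattern list was case-sensitive (so
 * "SCRIPT"/"OnLoad" passed through), the control-character class contained
 * literal commas (so every ',' in the input was deleted), a stray line
 * referenced an undefined $data variable, get_magic_quotes_gpc() was called
 * unconditionally (removed in PHP 8, fatal), and htmlentities() returned ''
 * for invalid UTF-8 input instead of substituting.
 *
 * @param string $string raw user input
 * @return string HTML-entity-encoded text (still backslash-escaped via addslashes)
 */
function xssFilter(string $string): string
{
    $blacklist = [
        // ASCII control characters except \t, \n and \r.
        '/[\x00-\x08\x0b\x0c\x0e-\x1f]/',
        '/script/i', '/javascript/i', '/vbscript/i', '/expression/i', '/applet/i',
        '/meta/i', '/xml/i', '/blink/i', '/link/i', '/style/i', '/embed/i',
        '/object/i', '/frame/i', '/layer/i', '/title/i', '/bgsound/i', '/base/i',
        '/onload/i', '/onunload/i', '/onchange/i', '/onsubmit/i', '/onreset/i',
        '/onselect/i', '/onblur/i', '/onfocus/i', '/onabort/i', '/onkeydown/i',
        '/onkeypress/i', '/onkeyup/i', '/onclick/i', '/ondblclick/i',
        '/onmousedown/i', '/onmousemove/i', '/onmouseout/i', '/onmouseover/i',
        '/onmouseup/i',
    ];

    // addslashes() is kept for backward compatibility with callers that relied
    // on it; SQL safety belongs in prepared statements, not in an HTML filter.
    // magic_quotes_gpc only exists before PHP 5.4, so it is consulted only
    // there to avoid double escaping (and to avoid a fatal call on PHP 8).
    $alreadyEscaped = PHP_VERSION_ID < 50400 && get_magic_quotes_gpc();
    if (!$alreadyEscaped) {
        $string = addslashes($string);
    }

    // Crude blacklist removal of control characters and suspicious words.
    $filtered = preg_replace($blacklist, '', $string);

    // Strip HTML/PHP tags, then entity-encode what is left. ENT_QUOTES covers
    // single quotes for attribute contexts; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences with U+FFFD instead of returning an empty string.
    return htmlentities(strip_tags($filtered), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}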
// $username = xssFilter($_POST['username']);
// $email = xssFilter($_POST['email']);
// $content = xssFilter($_POST["content"]);
// $page = $_POST["page"];
// $time =  date("Y-m-d H:i:s");

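// Report MySQL failures as exceptions so the try/catch below actually fires.
// Without this, mysqli_query() just returns false and the script would echo
// "success" even when the INSERT failed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Missing keys default to '' instead of raising an undefined-index notice.
$username = $_POST['username'] ?? '';
$email    = $_POST['email'] ?? '';
$content  = $_POST['content'] ?? '';
$page     = $_POST['page'] ?? '';
$time     = date('Y-m-d H:i:s');

require('xsshtml.class.php');

// XssHtml sanitises HTML that is later rendered; it is NOT SQL escaping.
// SQL safety below comes from the prepared statement, not from these calls.
$xss = new XssHtml($username);
$username = $xss->getHtml();

$xss = new XssHtml($email);
$email = $xss->getHtml();

$xss = new XssHtml($content);
$content = $xss->getHtml();

// NOTE(review): $page is stored as received (not passed through XssHtml);
// whatever renders it must escape it for its output context.

header('Content-Type: application/json; charset=utf-8');

// NOTE(review): database credentials (a root account) are hard-coded in
// source; they belong in a config file outside the web root or in the
// environment, and the application should use a least-privilege account.
try {
    $conn = mysqli_connect('localhost', 'root', 'Passw0rdTypecho', 'bestscu_wenake_t');

    // Parameterised INSERT: user-controlled values never reach the SQL parser
    // as SQL text. The previous string-concatenated query was injectable
    // (e.g. via $page, which had no filtering at all).
    $stmt = mysqli_prepare(
        $conn,
        'INSERT INTO comments (time, page, username, email, content) VALUES (?, ?, ?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'sssss', $time, $page, $username, $email, $content);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($conn);

    // Valid JSON (the previous "{'status': true; ...}" literal was not parseable).
    echo json_encode(['status' => true, 'msg' => '评论成功'], JSON_UNESCAPED_UNICODE);
} catch (mysqli_sql_exception $e) {
    // Details go to the server log only; the client gets a generic failure
    // instead of the raw driver error that was previously echoed.
    error_log('comment insert failed: ' . $e->getMessage());
    echo json_encode(['status' => false, 'msg' => '评论失败'], JSON_UNESCAPED_UNICODE);
    exit;
}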